There is no cost to attend but registration is required and seating is limited.

This program will provide Boards, C-Suites and General Counsels with best practice strategies for avoiding unauthorized breaches of electronic data; managing them if they occur; and addressing personal liability risks for Boards and executives. The Distinguished Speakers are experienced cyber security experts from Seyfarth Shaw, KPMG, law enforcement, and current directors.

Best Practices for Avoiding and Managing Threats

Cybersecurity experts and industry professionals will share their views on these questions:

What are your top lessons learned from investigating cyber breach incidents?

What are the most important considerations when developing an overall incident response plan?

Potential Liability Risk for the Board

Securities litigators will emphasize the importance of having a clear plan and robust escalation processes to respond quickly and effectively when an incident occurs. Critical issues to be discussed include:

Fiduciary duties and director liability

Cyber risk landscape and regulatory environment

Role of information governance in minimizing damages from cyberattacks

Cyber risk assessment and implementation of defensive technology

Insurance coverage and other risk mitigation strategies

Two hours of New York CLE credits are approved.

If you have any questions, please contact Morgan Coury at mcoury@seyfarth.com and reference this event.

Seyfarth Shaw Partner Jason Priebe was recently interviewed by C4CM regarding his tips for records retention. This thoughtful discussion covered not only record retention policies, but information governance, risk, and potential costs resulting from the increasing volume of data produced during litigation. Jason also provided practical steps to formulate a record retention policy when one is not in place. To learn more, read the full interview here.

November 16, 2018 – President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which establishes the Cybersecurity and Infrastructure Security Agency (“CISA”) at the Department of Homeland Security (DHS). The law reorganizes DHS’ National Protection and Programs Directorate (NPPD) into an agency that will focus on cybersecurity threats.

With its promotion to the rank of federal agency, CISA is now on the same level as the Federal Emergency Management Agency (FEMA) and the Secret Service, but still under the DHS’ oversight. The new agency is expected to improve the cybersecurity defenses across other US federal agencies, coordinate cybersecurity programs with states, and bolster the government’s overall cybersecurity protections.

It was also announced that Christopher C. Krebs would serve as CISA’s first director. Mr. Krebs had served as the Under Secretary of the NPPD, the predecessor of CISA. On the day President Trump signed the bill into law, Mr. Krebs tweeted that “The cybersecurity threat is constantly evolving and this reorganization positions us [CISA] to better defend America’s infrastructure from digital and physical threats.” Mr. Krebs added that the new agency would be better able to “accomplish its cybersecurity mission by making it easier to recruit cybersecurity professionals.”

CISA unveiled its new logo on November 28, 2018. With the rise of cybersecurity threats across the country, it is likely that the logo will become a familiar face to many Americans in the coming years.

Seyfarth Synopsis: Please join us at our Chicago Willis Tower office on Thursday, December 6th, for breakfast along with a Seyfarth Legal Forum and Continuing Legal Education (CLE): 2018 Highlights and a Look Ahead to 2019.

About the Program

Providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practice. Featuring:

Biometric Information Privacy Act: What a long, strange year it’s been (and there’s more on the way!)

Legalize it: will Illinois go from medical to recreational marijuana and what would that mean to the real estate industry?

Welcome to the Future: It arrived yesterday – The intersection of Technology and Legal Services

Bots, bits and bytes… Artificial Intelligence and its leading role in recent legal projects

The program will feature a panel of Seyfarth Chicago subject matter experts — with an eye toward preparing for the developments in the coming year. Our overview will be targeted at highlighting issues for the General Counsel, Chief Information Officer, Chief Human Resource Officer, and other members of their teams.

The program will consist of an engaging ninety minute presentation with speakers from each of Seyfarth Chicago’s practice groups: Benefits, Corporate, Labor & Employment, Litigation, and Real Estate, as well as an exciting presentation on the use of technology in law. Then, we will offer 30 minute break-out sessions on hot topics warranting a deeper dive that companies are facing when looking at their legal compliance needs. The break-out sessions will address Privacy/Data Security, Managing in the #metoo Environment, and Blockchain/Cryptocurrency in business.

The program is on Thursday, December 6, 2018, at 8:00 a.m. – 8:30 a.m., for breakfast and registration, 8:30 a.m. – 10:00 a.m., for the panel presentations, and 10:00 a.m. – 10:30 a.m., for the breakout sessions. Our offices are at 233 S. Wacker Drive, Suite 8000, in Chicago, IL.

The European Data Protection Board (EDPB) recently issued a report after their November 16, 2018 plenary session. The statement covered a range of topics being discussed by the Board, but no substantive publications. The EDPB is charged with ensuring that GDPR is applied consistently across the EU and that there is consistent enforcement by DPAs across the Union. The Board is also tasked with issuing guidelines on the interpretation the GDPR (formerly the charge of the Article 29 Working Party), and making binding decisions about cross-border disputes. The Board is made up of the head DPA or representatives from each member country.

An EU-Japan adequacy finding appears to be extremely close, and the Board announced they are at work on guidelines about the intersection between Clinical Trials Regulation and the GDPR for medical device and pharmaceutical companies. There have now been four “plenary meetings” of the EDPB. Some may consider no action on the part of the Board a good thing, but there are some significant concepts which eventually need clarification, including a formal process and procedure on appeals of DPA enforcement and fines, and modernization of the outdated Model Contractual Clauses, among other things. The essential message from the EDPB continues to be “stay tuned,” and seems likely that no real substantive publications will come through until early 2019.

Seyfarth eDiscovery Partners Scott Carlson and Jay Carle were recently interviewed by Mary Rechtoris of Relativity regarding “Doing Discovery Right: How Seyfarth Shaw Tackles eDiscovery.” They discuss the Group’s formation, along with the growing importance of eDiscovery attorneys as technology changes both for clients, and in the eDiscovery space.

This morning, the European Commission released a Proposal for a Regulation addressing the EU’s cybersecurity industry as part of its next step towards a Digital Single Market, which is the EU’s strategy to ensure fair competition, consumer and data protection, and removal of copyright and geo-blocking issues for individuals participating in online activities and accessing online content. The Regulation would establish the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres in order to “equip Europe with the right tools to deal with an ever-changing cyber threat.” See their Fact Sheet here. The EU has various initiatives in place to address today’s current cyber threats, as well as the deterrence of future attacks. Specifically, it is working with member states to improve cybersecurity initiatives, EU-level cooperation, and risk prevention, and plans to establish an EU-wide certification framework to ensure products and services are cyber-secure. Today’s proposal carries these initiatives further by suggesting the creation of a Network of Competence Centres and a European Cybersecurity Industrial, Technology and Research Competence Centre “to develop and roll out the tools and technology needed to keep up with an ever-changing threat.” See Fact Sheet. The Commission is hoping that the creation of this Network will allow the many existing cybersecurity competence centres in the EU to pool and share information and expertise, help deploy EU cybersecurity products and solutions, and facilitate cooperation between industries and communities. The Network will unite existing member state centres and allow them to co-invest to drive research and innovation, and allow for additional investment and funding to improve the EU’s digital economy, and the Centre will aid in facilitating the work of the Network.

Under this framework, each EU member state will be responsible for nominating one national coordination centre which will essentially be that country’s leader and representative to the community; these local centres will carry out actions under the Regulation, as well as determine the distribution of funds on a local level. The Commission expects that creation of one, centralized framework will allow for increased coordination and exchange of expertise and knowledge, cost savings though co-investment, and opportunity for the EU to become a global leader in cybersecurity.

Seyfarth Shaw Partner Jordan Vick is on the panel for the “Playing by the Rules: Rule Changes Essential to Your Practice” session on Friday, November 16, at Georgetown Law’s 15th annual Advanced eDiscovery Institute in Washington, D.C.

Session topics include:

The 2015 Amendments to the FRCP and their actual impacts on practitioners, including unintended consequence

How the changes to Federal Rule of Evidence 902 will change how parties and the court can streamline authentication of ESI and potentially eliminate the need to call a witness at trial

What other changes the Rules Committee is discussing that may impact eDiscovery professionals

Pilot accelerated disclosures and their impacts in Illinois and Arizona, including the Mandatory Initial Discovery Pilot Program (“MIDP”) in the Northern District of Illinois

For more information, to see the full schedule, or to register, click here.

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018. The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR. The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors. Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar. For example:

Consumers can request a copy of all the Personal Information a business has collected;

Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and

Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.

With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with a much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament, but should be in place by May 25, 2018, as well as other established data protection legislation.

The “Regulatory Action Policy” explains that ICO will have the power to issue “urgent” information notices that will require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not GDPR.

The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similarly to the U.S. evidence spoliation principles, it appears that loss of information through routine operation of automated processes may be a defense to criminal charges.

About Seyfarth's eDiscovery and Information Governance Team

Seyfarth Shaw’s eDiscovery and Information Governance (eDIG) attorneys dedicate 100% of their practices to eDiscovery and information governance issues, advising and litigating on these complex matters efficiently, effectively and creatively. Seyfarth is one of the few law firms with a truly dedicated eDiscovery practice group — one that began well before the Federal Rules of Civil Procedure were amended in 2006. We bring experience and talent to craft practical and defensible approaches to meet discovery obligations in litigation to comply with statutory and regulatory rules while managing the costs and the realities of operating a business in today’s economy. We have worked with some of the country’s largest companies on eDiscovery issues in specific major litigation as well as broader strategic approaches to eDiscovery.